BoringSSL

Version: bfa8369 (commit bfa8369)

Repository: https://github.com/google/boringssl/

Docs: https://commondatastorage.googleapis.com/chromium-boringssl-docs/headers.html

Primitives

Supports P-224, P-256, P-384 and P-521. Also Curve25519. Uses fiat-crypto for the SECP curve field arithmetic and x25519.

P-224

• Short-Weierstrass

• Comb via mul_base -> ec_GFp_nistp224_point_mul_base. Fixed Window (signed, Booth) (width=5) via mul -> ec_GFp_nistp224_point_mul.

• Jacobian,

• Formulas unknown: add-boringssl-p224, dbl-boringssl-p224.

P-256

• Short-Weierstrass

• Comb via mul_base -> ec_GFp_nistp256_point_mul_base. Fixed Window (signed, Booth) (width=5) via mul -> ec_GFp_nistp256_point_mul.

• Jacobian-3,

• add-2007-bl, dbl-2001-b

P-384

• Uses defaults (described below).

P-521

• Uses defaults (described below).

ECDH

KeyGen:

• Short-Weierstrass

• EC_KEY_generate_key -> ec_point_mul_scalar_base -> meth.mul_base. Default: Fixed Window, via ec_GFp_mont_mul_base -> ec_GFp_mont_mul.

• Jacobian

• add-2007-bl, dbl-2001-b

Derive:

• Short-Weierstrass

• ECDH_compute_key -> ec_point_mul_scalar -> meth.mul. Default: Fixed Window, via ec_GFp_mont_mul.

• Jacobian

• add-2007-bl, dbl-2001-b

ECDSA

KeyGen:

• Short-Weierstrass

• EC_KEY_generate_key -> ec_point_mul_scalar_base -> meth.mul_base. Default: Fixed Window, via ec_GFp_mont_mul.

• Jacobian

• add-2007-bl, dbl-2001-b

Sign:

• Short-Weierstrass

• ECDSA_sign -> ECDSA_do_sign -> ecdsa_sign_impl -> ec_point_mul_scalar_base -> meth.mul_base. Default: Fixed Window, via ec_GFp_mont_mul.

• Jacobian

• add-2007-bl, dbl-2001-b

Verify:

• Short-Weierstrass

• ECDSA_verify -> ECDSA_do_verify -> ecdsa_do_verify_no_self_test -> ec_point_mul_scalar_public -> meth.mul_public or meth.mul_public_batch. Default: Window NAF (w=4) based interleaving multi-exponentiation method, via ec_GFp_mont_mul_public_batch.

• Jacobian

• add-2007-bl, dbl-2001-b

X25519

KeyGen:

• Twisted-Edwards

• ?? via X25519_keypair -> X25519_public_from_private -> x25519_ge_scalarmult_base.

• Has multiple coordinate systems: projective, extended, completed, Duif

• Unknown formulas. dbl, add

Derive:

• Montgomery

• Ladder via X25519 -> x25519_scalar_mult -> x25519_NEON/x25519_scalar_mult_adx/x25519_scalar_mult_generic

• xz.

• Unknown formula: ladd-boringssl-x25519 from fiat-crypto.

Ed25519

Based on ref10 of Ed25519.

KeyGen:

• Twisted-Edwards

• ?? via ED25519_keypair -> ED25519_keypair_from_seed -> x25519_ge_scalarmult_base.

• Has multiple coordinate systems: projective, extended, completed, Duif

• Unknown formulas. dbl, add

Sign:

• Twisted-Edwards

• ?? via ED25519_sign -> ED25519_keypair_from_seed -> x25519_ge_scalarmult_base.

• Has multiple coordinate systems: projective, extended, completed, Duif

• Unknown formulas. dbl, add

Verify:

• Twisted-Edwards

• Sliding window (signed) with interleaving? via ED25519_verify -> ge_double_scalarmult_vartime.

• Has multiple coordinate systems: projective, extended, completed, Duif

• Unknown formulas. dbl, add